SoftInstigate / restheart

Rapid API Development with MongoDB
https://restheart.org
GNU Affero General Public License v3.0

Connection to RESTHeart without typing your credentials inside of the command #43

Closed orkhanalizade closed 9 years ago

orkhanalizade commented 9 years ago

The documentation says that I must include my credentials inside the command:

http PUT 127.0.0.1:8080/myfirstdb -a username:password

But it's not secure to use my credentials inside the command. Can I connect and authorize with the credentials from the file-based Identity Manager configuration?

mkjsix commented 9 years ago

If you truly want security you must exchange information via SSL, there are no other ways. So you can either activate SSL within RESTHeart or you can put a secure reverse proxy in front of it (Nginx or Apache). For the first option:

- https://softinstigate.atlassian.net/wiki/display/RH/5.+Advanced+Configuration#id-5.AdvancedConfiguration-SSL
- https://softinstigate.atlassian.net/wiki/display/RH/5.+Advanced+Configuration#id-5.AdvancedConfiguration-Security

(please note that we are slowly moving the documentation to Confluence)

For our internal projects we use Nginx because it is much easier to configure, but that's up to you.

orkhanalizade commented 9 years ago

But in the case that I send my credentials via SSL, are my credentials encrypted, and/or can other people find/see my credentials?

Wed, 12 Aug 2015 at 12:21, Maurizio Turatti notifications@github.com:

If you truly want security you must exchange information via SSL, there are no other ways. So you can either activate SSL within RESTHeart or you can put a secure reverse proxy in front of it (Nginx or Apache). For the first option:

- https://softinstigate.atlassian.net/wiki/display/RH/5.+Advanced+Configuration#id-5.AdvancedConfiguration-SSL
- https://softinstigate.atlassian.net/wiki/display/RH/5.+Advanced+Configuration#id-5.AdvancedConfiguration-Security

(please note that we are slowly moving the documentation to Confluence)

For our internal projects we use Nginx because it is much easier to configure, but that's up to you.


mkjsix commented 9 years ago

In that case you are connecting to an HTTPS URL via SSL and it's exactly like exchanging information with a secure Web server via a browser, nothing less and nothing more. Of course, you should use a self-signed certificate only for development or limited internal usage; for production deployment on a public server you must buy a real SSL certificate from a verified certificate authority (your Internet provider might be one of those, but there are plenty).
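One way to address both points raised in this thread (keeping the password out of the command line, and only ever sending Basic auth over TLS) is to let curl read the login from a netrc file that only the owner can read. This is an added example, not RESTHeart's own code or documentation; it assumes curl is installed, and the file path, `RESTHEART_CACERT` variable and sample hostname are this example's own choices.

```shell
#!/bin/sh
# Added example, not RESTHeart's own code or docs: authenticate to RESTHeart
# over HTTPS with credentials read from a mode-0600 netrc file instead of
# `-a username:password` on the command line, so the password does not land
# in shell history or in `ps` output. Assumes curl is installed; the file
# path, env var name and sample hostname are this example's own choices.

# Refuse to use a credentials file that group/others can read or write.
# Returns 0 for mode 0600 (or stricter), 1 otherwise.
check_cred_file_mode() {
    f="$1"
    [ -f "$f" ] || { echo "credentials file not found: $f" >&2; return 1; }
    # Columns 5-10 of `ls -l` are the group and other permission bits.
    go_bits=$(ls -ld "$f" | cut -c5-10)
    if [ "$go_bits" != "------" ]; then
        echo "$f must be mode 0600, is $(ls -ld "$f" | cut -c1-10)" >&2
        return 1
    fi
}

# Create the netrc file under a restrictive umask so it is never even briefly
# world-readable. Format is curl's: machine <host> login <user> password <pw>.
create_netrc() {
    f="$1"; host="$2"; user="$3"; pw="$4"
    ( umask 077 && printf 'machine %s login %s password %s\n' \
        "$host" "$user" "$pw" > "$f" )
    check_cred_file_mode "$f"
}

# PUT a resource (e.g. /myfirstdb) on RESTHeart over HTTPS. curl picks the
# login for the URL's host from the netrc file; nothing secret is in argv.
# Set RESTHEART_CACERT to the PEM file of a self-signed development cert;
# a production server should present a CA-signed cert and needs no override.
restheart_put() {
    netrc="$1"; url="$2"
    check_cred_file_mode "$netrc" || return 1
    case "$url" in
        https://*) ;;
        *) echo "refusing to send Basic auth over non-TLS URL: $url" >&2; return 1 ;;
    esac
    set -- --silent --show-error --fail --netrc-file "$netrc" -X PUT "$url"
    if [ -n "${RESTHEART_CACERT:-}" ]; then
        set -- --cacert "$RESTHEART_CACERT" "$@"
    fi
    curl "$@"
}

# Usage: create_netrc ~/.restheart-netrc 127.0.0.1 admin 'changeit'
#        restheart_put ~/.restheart-netrc https://127.0.0.1:8080/myfirstdb
```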